LAWS OF MALAYSIA 


ACT 709 
PERSONAL DATA PROTECTION ACT 2010 


Date of Royal Assent: 2

ARRANGEMENT OF SECTIONS

Preamble

An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto.

ENACTED by the Parliament of Malaysia as follows:

PART I - PRELIMINARY

Section 1. Short title and commencement 

(1) This Act may be cited as the Personal Data Protection Act 2010.

(2) This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.


Section 2. Application 
(1) This Act applies to—

(a) any person who processes; and

(b) any person who has control over or authorizes the processing of,

any personal data in respect of commercial transactions.

(2) Subject to subsection (1), this Act applies to a person in respect of personal data if—

(a) the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or

(b) the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.

(3) A person falling within paragraph (2)(b) shall nominate for the purposes of this Act a representative established in Malaysia.

(4) For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia:

(a) an individual whose physical presence in Malaysia shall not be less than one hundred and eighty days in one calendar year;

(b) a body incorporated under the Companies Act 1955 [Act 125];

(c) a partnership or other unincorporated association formed under any written laws in Malaysia; and

(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in Malaysia—

(i) an office, branch or agency through which he carries on any activity; or

(ii) a regular practice.

Section 3. Non-application 

(1) This Act shall not apply to the Federal Government and State Governments.

(2) This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.


Section 4. Interpretation 
In this Act, unless the context otherwise requires—

"credit reporting agency" has the meaning assigned to it in the Credit Reporting Agencies Act 2010 [Act 710];

"this Act" includes regulations, orders, notifications and other subsidiary legislation made under this Act;

"register" means the Register of Data Users, Register of Data User Forums or Register of Codes of Practice;

"personal data" means any information in respect of commercial transactions, which—

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010;

"sensitive personal data" means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;

"prescribed" means prescribed by the Minister under this Act and where no mode is mentioned, means prescribed by order published in the Gazette;

"Advisory Committee" means the Personal Data Protection Advisory Committee established under section 70;

"vital interests" means matters relating to life, death or security of a data subject;

"Fund" means the Personal Data Protection Fund established under section 61;

"use", in relation to personal data, does not include the act of collecting or disclosing such personal data;

"collect", in relation to personal data, means an act by which such personal data enters into or comes under the control of a data user;

"Minister" means the Minister charged with the responsibility for the protection of personal data;

"disclose", in relation to personal data, means an act by which such personal data is made available by a data user;

"relevant person", in relation to a data subject, howsoever described, means—


(a) in the case of a data subject who is below the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject;

(b) in the case of a data subject who is incapable of managing his own affairs, a person who is appointed by a court to manage those affairs, or a person authorized in writing by the data subject to act on behalf of the data subject; or

(c) in any other case, a person authorized in writing by the data subject to make a data access request, data correction request, or both such requests, on behalf of the data subject;

"authorized officer" means any officer authorized in writing by the Commissioner under section 110;

"correction", in relation to personal data, includes amendment, variation, modification or deletion;

"requestor", in relation to a data access request or data correction request, means the data subject or the relevant person on behalf of the data subject, who has made the request;

"data processor", in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;

"processing", in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including—

(a) the organization, adaptation or alteration of personal data;

(b) the retrieval, consultation or use of personal data;

(c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or

(d) the alignment, combination, correction, erasure or destruction of personal data;

"registration" means the registration of a data user under section 16;

"data user" means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;


"relevant data user", in relation to—

(a) an inspection, means the data user who uses the personal data system which is the subject of the inspection;

(b) a complaint, means the data user specified in the complaint;

(c) an investigation—

(i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint;

(ii) in any other case, means the data user who is the subject of the investigation;

(d) an enforcement notice, means the data user on whom the enforcement notice is served;

"credit reporting business" has the meaning assigned to it in the Credit Reporting Agencies Act 2010;

"Commissioner" means the Personal Data Protection Commissioner appointed under section 47;

"third party", in relation to personal data, means any person other than—

(a) a data subject;

(b) a relevant person in relation to a data subject;

(c) a data user;

(d) a data processor; or

(e) a person authorized in writing by the data user to process the personal data under the direct control of the data user;

"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set of information is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

"data subject" means an individual who is the subject of the personal data;

"appointed date" means the relevant date or dates, as the case may be, on which this Act comes into operation;

"code of practice" means the personal data protection code of practice in respect of a specific class of data users registered by the Commissioner pursuant to section 23 or issued by the Commissioner under section 24;

"commercial transactions" means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.


PART II - PERSONAL DATA PROTECTION

Division 1 - Personal Data Protection Principles

Section 5. Personal Data Protection Principles

(1) The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely—

(a) the General Principle;

(b) the Notice and Choice Principle;

(c) the Disclosure Principle;

(d) the Security Principle;

(e) the Retention Principle;

(f) the Data Integrity Principle; and

(g) the Access Principle,

as set out in sections 6, 7, 8, 9, 10, 11 and 12.

(2) Subject to sections 45 and 46, a data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Section 6. General Principle

(1) A data user shall not—

(a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or

(b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 40.

(2) Notwithstanding paragraph (1)(a), a data user may process personal data about a data subject if the processing is necessary—

(a) for the performance of a contract to which the data subject is a party;

(b) for the taking of steps at the request of the data subject with a view to entering into a contract;

(c) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

(d) in order to protect the vital interests of the data subject;

(e) for the administration of justice; or

(f) for the exercise of any functions conferred on any person by or under any law.

(3) Personal data shall not be processed unless—

(a) the personal data is processed for a lawful purpose directly related to an activity of the data user;

(b) the processing of the personal data is necessary for or directly related to that purpose; and

(c) the personal data is adequate but not excessive in relation to that purpose.

Section 7. Notice and Choice Principle 

(1) A data user shall by written notice inform a data subject—

(a) that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;

(b) the purposes for which the personal data is being or is to be collected and further processed;

(c) of any information available to the data user as to the source of that personal data;

(d) of the data subject's right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;

(e) of the class of third parties to whom the data user discloses or may disclose the personal data;

(f) of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;

(g) whether it is obligatory or voluntary for the data subject to supply the personal data; and

(h) where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.

(2) The notice under subsection (1) shall be given as soon as practicable by the data user—

(a) when the data subject is first asked by the data user to provide his personal data;

(b) when the data user first collects the personal data of the data subject; or

(c) in any other case, before the data user—

(i) uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or

(ii) discloses the personal data to a third party.

(3) A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

Section 8. Disclosure Principle 


Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed—

(a) for any purpose other than—

(i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or

(ii) a purpose directly related to the purpose referred to in subparagraph (i); or

(b) to any party other than a third party of the class of third parties as specified in paragraph 7(1)(e).


Section 9. Security Principle

(1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard—

(a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;

(b) to the place or location where the personal data is stored;

(c) to any security measures incorporated into any equipment in which the personal data is stored;

(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and

(e) to the measures taken for ensuring the secure transfer of the personal data.

(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—

(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and

(b) takes reasonable steps to ensure compliance with those measures.


Section 10. Retention Principle

(1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.


Section 11. Data Integrity Principle

A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.


Section 12. Access Principle 

A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.

Division 2 - Registration 


Section 13. Application of this Division

(1) This Division shall apply to a data user who belongs to a class of data users as specified in the order made under subsection 14(1).

(2) A data user who belongs to a class of data users not specified in the order made under subsection 14(1) shall comply with all the provisions of this Act other than the provisions of this Division relating to the registration of data users and matters connected thereto.


Section 14. Registration of data users 

(1) The Minister may, upon the recommendation of the Commissioner, by order published in the Gazette, specify a class of data users who shall be required to be registered as data users under this Act.

(2) The Commissioner shall, before making his recommendation under subsection (1), consult with—

(a) such bodies representative of data users belonging to that class; or

(b) such other interested persons.

Section 15. Application for registration 

(1) A person who belongs to the class of data users as specified in the order made under subsection 14(1) shall submit an application for registration to the Commissioner in the manner and form as determined by the Commissioner.

(2) Every application for registration shall be accompanied with the prescribed registration fee and such documents as may be required by the Commissioner.

(3) The Commissioner may in writing at any time after receiving the application and before it is determined require the applicant to provide such additional documents or information within the time as specified by the Commissioner.

(4) If the requirement under subsection (3) is not complied with, the application for registration shall be deemed to have been withdrawn by the applicant and shall not be further proceeded with by the Commissioner, but without prejudice to a fresh application being made by the applicant.


Section 16. Certificate of registration

(1) After having given due consideration to an application under subsection 15(1), the Commissioner may—

(a) register the applicant and issue a certificate of registration to the applicant in such form as determined by the Commissioner; or

(b) refuse the application.

(2) The certificate of registration may be issued subject to such conditions or restrictions as the Commissioner may think fit to impose.

(3) Where the Commissioner refuses the application for registration in pursuance of subsection (1), he shall inform the applicant by a written notice that the application has been refused and the reasons for the refusal.

(4) A person who belongs to the class of data users as specified in the order made under subsection 14(1) and who processes personal data without a certificate of registration issued in pursuance of paragraph 16(1)(a) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.


Section 17. Renewal of certificate of registration 


(1) A data user may make an application for the renewal of the certificate of registration not later than ninety days before the date of expiry of the certificate of registration in the manner and form as determined by the Commissioner and the application shall be accompanied with the prescribed renewal fee and such documents as may be required by the Commissioner, but no application for renewal shall be allowed where the application is made after the date of expiry of the certificate of registration.

(2) When renewing a certificate of registration, the Commissioner may vary the conditions or restrictions imposed upon the issuance of the certificate of registration or impose additional conditions or restrictions.

(3) The Commissioner may refuse to renew a certificate of registration—

(a) if the data user has failed to comply with any of the provisions of this Act;

(b) if the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration; or

(c) if he is satisfied that the data user is unable to continue the processing of personal data in accordance with this Act.

Section 18. Revocation of registration

(1) The Commissioner may revoke the registration of a data user if the Commissioner is satisfied that—

(a) the data user has failed to comply with any of the provisions of this Act;

(b) the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration;

(c) the issuance of the certificate of registration was induced by a false representation of fact by the data user; or

(d) the data user has ceased to carry on the processing of personal data.

(2) Notwithstanding subsection (1), the Commissioner shall not revoke the registration of a data user unless the Commissioner is satisfied that, after giving the data user an opportunity of making any representation in writing he may wish to make, the registration should be revoked.

(3) Where the registration of the data user is revoked, the Commissioner shall issue a notice of revocation of registration to the data user, and the certificate of registration issued in respect of such registration shall have no effect upon service of the notice of revocation of registration.

(4) A data user whose registration has been revoked under this section and who continues to process personal data thereafter commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.


Section 19. Surrender of certificate of registration

(1) Where the certificate of registration is revoked in pursuance of section 18, the holder of the certificate shall, within seven days from the date of service of the notice of revocation of registration, surrender the certificate to the Commissioner.

(2) A person who fails to comply with subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Section 20. Register of Data Users 

(1) The Commissioner shall maintain a Register of Data Users in accordance with section 128.

(2) The Register of Data Users shall contain the names of data users who have been registered in pursuance of this Division and any other particulars regarding such data users as may be determined by the Commissioner.

Division 3 - Data user forum and code of practice

Section 21. Data user forum

(1) The Commissioner may designate a body as a data user forum in respect of a specific class of data users for the purposes of this Act by notifying that body in writing, if the Commissioner is satisfied that—

(a) the membership of the body is open to all data users of that class;

(b) the body is capable of performing as required under the relevant provisions of this Act; and

(c) the body has a written constitution.

(2) The body shall agree in writing to be a data user forum before the designation is registered by the Commissioner in the Register of Data User Forums.

(3) The Commissioner may decide that an existing body that was previously designated as a data user forum under subsection (1) is no longer a data user forum for the purposes of this Act if he is satisfied that the body no longer meets the requirements as set out in that subsection.

(4) Where the Commissioner decides that an existing body which has been designated as a data user forum is no longer a data user forum for the purposes of this Act, he shall withdraw the designation and subsequently cancel the registration of the designation in the Register of Data User Forums.

(5) A designation or withdrawal of designation under this section shall take effect from the date of registration of the designation or the date of cancellation of the registration of the designation, as the case may be, or such later date as specified by the Commissioner.


Section 22. Register of Data User Forums 


(1) The Commissioner shall maintain a Register of Data User Forums in accordance with section 128.

(2) The Register of Data User Forums shall contain the names of data user forums which have been designated and registered in pursuance of this Division and any other particulars regarding such data user forums as may be determined by the Commissioner.

Section 23. Code of practice

(1) A data user forum may prepare a code of practice—

(a) on its own initiative; or

(b) upon request by the Commissioner.

(2) The data user forum shall, in preparing a code of practice under subsection (1), consider matters including—

(a) the purpose for the processing of personal data by the data user or class of data users;

(b) the views of the data subjects or groups representing data subjects;

(c) the views of the relevant regulatory authority, if any, to which the data user is subject to; and

(d) that the code of practice, upon having regard to all of the matters in paragraphs (a), (b) and (c) and any other matters, offers an adequate level of protection for the personal data of the data subjects concerned.

(3) The Commissioner may register the code of practice prepared pursuant to subsection (1), if the Commissioner is satisfied that—

(a) the code of practice is consistent with the provisions of this Act; and

(b) the matters as set out in subsection (2) have been given due consideration.

(4) The code of practice under subsection (1) shall take effect on the date of registration of the code of practice by the Commissioner in the Register of Codes of Practice.

(5) If the Commissioner refuses to register the code of practice, the Commissioner shall notify the relevant data user forum of his decision in writing and provide the reasons for it.

(6) If the Commissioner neither registers nor refuses to register a code of practice within thirty days from the date of receipt of the code of practice by him for registration, he shall be deemed to have refused the registration of the code of practice.

(7) The Commissioner may register different codes of practice for different classes of data users.

(8) The Commissioner and data user shall make available to the public any code of practice registered under subsection (3).


Section 24. Commissioner may issue code of practice 


(1) The Commissioner may issue a code of practice, if—

(a) a code of practice is not prepared under paragraph 23(1)(a);

(b) the Commissioner is satisfied that a code of practice for a specific class of data users is unlikely to be prepared by the relevant data user forum within the period as specified by the Commissioner; or

(c) there is no data user forum to develop the relevant code of practice for the class of data users.

(2) The Commissioner shall, before issuing a code of practice under subsection (1), consider matters including—

(a) the purpose for the processing of personal data by the data user or class of data users;

(b) the views of the data users or groups representing data users, to which the code of practice is applicable;

(c) the views of the data subjects or groups representing data subjects;

(d) the views of the relevant regulatory authority, if any, to which the data user is subject to; and

(e) that the code of practice, upon having regard to all of the matters in paragraphs (a), (b) and (c) and any other matters, offers an adequate level of protection for the personal data of the data subjects concerned.

(3) The Commissioner may issue different codes of practice for different classes of data users.

(4) The code of practice issued by the Commissioner under subsection (1) shall be registered in the Register of Codes of Practice.

(5) The code of practice under subsection (1) shall take effect on the date of registration of the code of practice by the Commissioner.

(6) The Commissioner shall make available to the public any code of practice issued by him under subsection (1).


Section 25. Applicable code of practice 


(1) The Commissioner shall ensure that there is only one code of practice registered for a class of data users at a given time.

(2) All data users belonging to a class of data users shall comply with the relevant registered code of practice that is applicable to that class of data users at a given time.

(3) Where a code of practice is registered by the Commissioner under section 23 or 24, the Commissioner shall notify, in such manner as he may determine, the relevant class of data users to whom the code of practice is applicable—

(a) of the identity of the code of practice concerned and the date on which the code of practice is to take effect; and

(b) of the specific requirements under this Act for which the code of practice is issued and registered.

(4) If there is any uncertainty or ambiguity as to which code of practice is applicable to a particular data user or class of data users, the data user or person concerned may apply to the Commissioner for his opinion on which code of practice is the applicable code of practice in relation to the circumstances of such data user or person.

(5) The Commissioner shall provide his opinion within thirty days from the date of receipt of an application made under subsection (4).

(6) The Commissioner shall, when making his opinion under subsection (5), take into account any relevant previous opinions, if any.

(7) The Commissioner may withdraw an opinion made under this section if the Commissioner is satisfied that the nature of the activity engaged by the data user has changed materially.


Section 26. Revocation, etc., of code of practice

(1) The Commissioner may revoke, amend or revise, whether in whole or in part, any code of practice registered under this Act—

(a) on his own accord; or

(b) upon an application by the data user forum or such bodies representing the data users.

(2) The Commissioner shall, before revoking, amending or revising a code of practice under subsection (1), consult with—

(a) such data users or bodies representative of data users to which the code of practice shall apply, whether in whole or in part; and

(b) such other interested persons,

as the Commissioner thinks fit.

(3) Where any code of practice has been revoked, amended or revised under subsection (1), the Commissioner—

(a) shall enter the particulars of such revocation, amendment or revision in the Register of Codes of Practice; and

(b) shall notify the relevant data user forum, class of data users, data users and the public of such revocation, amendment or revision in such manner as may be determined by him.

(4) The Commissioner shall make available to the public any code of practice as amended or revised by him under this section.


Section 27. Submission of new code of practice by data user forum

(1) A data user forum may submit a new code of practice to replace an existing code of practice.

(2) The new code of practice submitted in pursuance of subsection (1) shall be subject to the provisions of this Division.


Section 28. Register of Codes of Practice 


(1) The Commissioner shall maintain a Register of Codes of Practice in accordance with section 128.

(2) The Register of Codes of Practice shall contain—

(a) particulars of codes of practice registered under section 23 or 24 and any revocation, amendment or revision to such codes of practice under section 26; and

(b) any opinion made by the Commissioner under section 25, including particulars of withdrawal of previous opinions.


Section 29. Non-compliance with code of practice 


A data user who fails to comply with any provision of the code of practice that is applicable to the data user commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.

Division 4 - Rights of data subject


Section 30. Right of access to personal data 


(1) An individual is entitled to be informed by a data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user.

(2) A requestor may, upon payment of a prescribed fee, make a data access request in writing to the data user—

(a) for information of the data subject's personal data that is being processed by or on behalf of the data user; and

(b) to have communicated to him a copy of the personal data in an intelligible form.

(3) A data access request for any information under subsection (2) shall be treated as a single request, and a data access request for information under paragraph (2)(a) shall, in the absence of any indication to the contrary, be treated as extending also to such request under paragraph (2)(b).

(4) In the case of a data user having separate entries in respect of personal data held for different purposes, a separate data access request shall be made for each separate entry.

(5) Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or part, with the data access request under subsection (2) which relates to the personal data, the first-mentioned data user shall be deemed to hold the personal data and the provisions of this Act shall be construed accordingly.


Section 31. Compliance with data access request 


(1) Subject to subsection (2) and section 32, a data user shall comply with a data access request under section 30 not later than twenty-one days from the date of receipt of the data access request.

(2) A data user who is unable to comply with a data access request within the period specified in subsection (1) shall before the expiration of that period—

(a) by notice in writing inform the requestor that he is unable to comply with the data access request within such period and the reasons why he is unable to do so; and

(b) comply with the data access request to the extent that he is able to do so.

(3) Notwithstanding subsection (2), the data user shall comply in whole with the data access request not later than fourteen days after the expiration of the period stipulated in subsection (1).


Section 32. Circumstances where data user may refuse to comply with data access request

(1) A data user may refuse to comply with a data access request under section 30 if—

(a) the data user is not supplied with such information as he may reasonably require

(i) in order to satisfy himself as to the identity of the requestor; or

(ii) where the requestor claims to be a relevant person, in order to satisfy himself—

(A) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and

(B) that the requestor is the relevant person in relation to the data subject;

(b) the data user is not supplied with such information as he may reasonably require to locate the personal data to which the data access request relates;

(c) the burden or expense of providing access is disproportionate to the risks to the data subject's privacy in relation to the personal data in the case in question;

(d) the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless—

(i) that other individual has consented to the disclosure of the information to the requestor;

(ii) it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;

(e) subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request;

(f) providing access would constitute a violation of an order of a court;

(g) providing access would disclose confidential commercial information; or

(h) such access to personal data is regulated by another law.

(2) In determining for the purposes of subparagraph (1)(d)(ii) whether it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual, regard shall be had, in particular, to—

(a) any duty of confidentiality owed to the other individual;

(b) any steps taken by the data user with a view to seeking the consent of the other individual;

(c) whether the other individual is capable of giving consent; and

(d) any express refusal of consent by the other individual.

(3) Paragraph (1)(e) shall not operate so as to excuse the data user from complying with the data access request under subsection 30(2) to any extent that the data user can comply with the data access request without contravening the prohibition concerned.

Section 33. Notification of refusal to comply with data access request

Where a data user who pursuant to section 32 refuses to comply with a data access request under section 30, he shall, not later than twenty-one days from the date of receipt of the data access request, by notice in writing, inform the requestor

(a) of the refusal and the reasons for the refusal; and

(b) where paragraph 32(1)(e) is applicable, of the name and address of the other data user concerned.


Section 34. Right to correct personal data

(1) Where

(a) a copy of the personal data has been supplied by the data user in compliance with the data access request under section 30 and the requestor considers that the personal data is inaccurate, incomplete, misleading or not up-to-date; or

(b) the data subject knows that his personal data being held by the data user is inaccurate, incomplete, misleading or not up-to-date,

the requestor or data subject, as the case may be, may make a data correction request in writing to the data user that the data user makes the necessary correction to the personal data.

(2) Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or in part, with the data correction request under subsection (1) which relates to the personal data, the first-mentioned data user shall be deemed to be the data user to whom such a request may be made and the provisions of this Act shall be construed accordingly.


Section 35. Compliance with data correction request 
(1) Subject to subsections (2), (3) and (5) and section 36, where a data user is satisfied that the personal data to which a data correction request relates is inaccurate, incomplete, misleading or not up-to-date, he shall, not later than twenty-one days from the date of receipt of the data correction request—

(a) make the necessary correction to the personal data;

(b) supply the requestor with a copy of the personal data as corrected; and

(c) subject to subsection (4), where—

(i) the personal data has been disclosed to a third party during the twelve months immediately preceding the day on which the correction is made; and

(ii) the data user has no reason to believe that the third party has ceased using the personal data for the purpose, including any directly related purpose, for which the personal data was disclosed to the third party,

take all practicable steps to supply the third party with a copy of the personal data as so corrected accompanied by a notice in writing stating the reasons for the correction.

(2) A data user who is unable to comply with a data correction request within the period specified in subsection (1) shall before the expiration of that period—

(a) by notice in writing inform the requestor that he is unable to comply with the data correction request within such period and the reasons why he is unable to do so; and

(b) comply with the data correction request to the extent that he is able to do so.

(3) Notwithstanding subsection (2), the data user shall comply in whole with the data correction request not later than fourteen days after the expiration of the period stipulated in subsection (1).

(4) A data user is not required to comply with paragraph (1)(c) in any case where the disclosure of the personal data to a third party consists of the third party's own inspection of a register—

(a) in which the personal data is entered or otherwise recorded; and

(b) which is available for inspection by the public.

(5) Where a data user is requested to correct personal data under subsection 34(1) and the personal data is being processed by another data user that is in a better position to respond to the data correction request—

(a) the first-mentioned data user shall immediately transfer the data correction request to such data user, and notify the requestor of this fact; and

(b) sections 34, 35, 36 and 37 shall apply as if the references therein to a data user were references to such other data user.


Section 36. Circumstances where data user may refuse to comply with data 
correction request 


(1) A data user may refuse to comply with a data correction request under section 34 if—

(a) the data user is not supplied with such information as he may reasonably require

(i) in order to satisfy himself as to the identity of the requestor; or

(ii) where the requestor claims to be a relevant person, in order to satisfy himself—

(A) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and

(B) that the requestor is the relevant person in relation to the data subject;

(b) the data user is not supplied with such information as he may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date;

(c) the data user is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date;

(d) the data user is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up-to-date; or

(e) subject to subsection (2), any other data user controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data correction request.

(2) Paragraph (1)(e) shall not operate so as to excuse the data user from complying with subsection 35(1) in relation to the data correction request to any extent that the data user can comply with that subsection without contravening the prohibition concerned.

Section 37. Notification of refusal to comply with data correction request

(1) Where a data user who pursuant to section 36 refuses to comply with a data correction request under section 34, he shall, not later than twenty-one days from the date of receipt of the data correction request, by notice in writing, inform the requestor

(a) of the refusal and the reasons for the refusal; and

(b) where paragraph 36(1)(e) is applicable, of the name and address of the other data user concerned.

(2) Without prejudice to the generality of subsection (1), where personal data to which the data correction request relates is an expression of opinion and the data user is not satisfied that the expression of opinion is inaccurate, incomplete, misleading or not up-to-date, the data user shall

(a) make a note, whether annexed to the personal data or elsewhere

(i) of the matters in respect of which the expression of opinion is considered by the requestor to be inaccurate, incomplete, misleading or not up-to-date; and

(ii) in such a way that the personal data cannot be used by any person without the note being drawn to the attention of and being available for inspection by that person; and

(b) attach a copy of the note to the notice referred to in subsection (1) which relates to the data correction request.

(3) In this section, "expression of opinion" includes an assertion of fact which is unverifiable or in all circumstances of the case is not practicable to verify.

(4) A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.


Section 38. Withdrawal of consent to process personal data 


(1) A data subject may by notice in writing withdraw his consent to the processing of personal data in respect of which he is the data subject.

(2) The data user shall, upon receiving the notice under subsection (1), cease the processing of the personal data.

(3) The failure of the data subject to exercise the right conferred by subsection (1) does not affect any other rights conferred on him by this Part.

(4) A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.


Section 39. Extent of disclosure of personal data

Notwithstanding section 8, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following

(a) the data subject has given his consent to the disclosure;

(b) the disclosure—

(i) is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(c) the data user acted in the reasonable belief that he had in law the right to disclose the personal data to the other person;

(d) the data user acted in the reasonable belief that he would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or

(e) the disclosure was justified as being in the public interest in circumstances as determined by the Minister.

Section 40. Processing of sensitive personal data 


(1) Subject to subsection (2) and section 5, a data user shall not process any sensitive personal data of a data subject except in accordance with the following conditions:

(a) the data subject has given his explicit consent to the processing of the personal data;

(b) the processing is necessary—

(i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;

(ii) in order to protect the vital interests of the data subject or another person, in a case where

(A) consent cannot be given by or on behalf of the data subject; or

(B) the data user cannot reasonably be expected to obtain the consent of the data subject;

(iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;

(iv) for medical purposes and is undertaken by—

(A) a healthcare professional; or

(B) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;

(v) for the purpose of, or in connection with, any legal proceedings;

(vi) for the purpose of obtaining legal advice;

(vii) for the purposes of establishing, exercising or defending legal rights;

(viii) for the administration of justice;

(ix) for the exercise of any functions conferred on any person by or under any written law; or

(x) for any other purposes as the Minister thinks fit; or

(c) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

(2) The Minister may by order published in the Gazette exclude the application of subparagraph (1)(b)(i), (viii) or (ix) in such cases as may be specified in the order, or provide that, in such cases as may be specified in the order, the condition in subparagraph (1)(b)(i), (viii) or (ix) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

(3) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

(4) For the purposes of this section—

"medical purposes" includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation and the provision of care and treatment and the management of healthcare services;

"healthcare services" has the meaning assigned to it in the Private Healthcare Facilities and Services Act 1998 [Act 586];

"healthcare professional" means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist and other allied healthcare professionals and any other person involved in the giving of medical, health, dental, pharmaceutical and any other healthcare services under the jurisdiction of the Ministry of


Section 41. Repeated collection of personal data in same circumstances 
(1) Where a data user

(a) has complied with the provisions of the Notice and Choice Principle under section 7 in respect of the collection of personal data from the data subject, referred to as the "first collection"; and

(b) on any subsequent occasion again collects personal data from that data subject, referred to as the "subsequent collection",

the data user is not required to comply with the provisions of the Notice and Choice Principle in respect of the subsequent collection if—

(A) to comply with those provisions in respect of that subsequent collection would be to repeat, in the same circumstances, what was done to comply with that principle in respect of the first collection; and

(B) not more than twelve months have elapsed between the first collection and the subsequent collection.


(2) For the avoidance of doubt, it is declared that subsection (1) shall not operate to prevent a subsequent collection from becoming a first collection if the data user concerned has complied with the provisions of the Notice and Choice Principle in respect of the subsequent collection.

Section 42. Right to prevent processing likely to cause damage or distress

(1) Subject to subsection (2), a data subject may, at any time by notice in writing to a data user, referred to as the "data subject notice", require the data user at the end of such period as is reasonable in the circumstances, to—

(a) cease the processing of or processing for a specified purpose or in a specified manner; or

(b) not begin the processing of or processing for a specified purpose or in a specified manner,

any personal data in respect of which he is the data subject if, based on reasons to be stated by him

(A) the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another person; and

(B) the damage or distress is or would be unwarranted.

(2) Subsection (1) shall not apply where

(a) the data subject has given his consent;

(b) the processing of personal data is necessary—

(i) for the performance of a contract to which the data subject is a party;

(ii) for the taking of steps at the request of the data subject with a view to entering

(iii) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by contract; or

(iv) in order to protect the vital interests of the data subject; or

(c) in such other cases as may be prescribed by the Minister by order published in the Gazette.

(3) The data user shall, within twenty-one days from the date of receipt of the data subject notice under subsection (1), give the data subject a written notice—

(a) stating that he has complied or intends to comply with the data subject notice; or

(b) stating his reasons for regarding the data subject notice as unjustified or to any extent unjustified, and the extent, if any, to which he has complied or intends to comply with it.

(4) Where the data subject is dissatisfied with the failure of the data user to comply with the data subject notice, whether in whole or in part, under paragraph (3)(b), the data subject may submit an application to the Commissioner to require the data user to comply with the data subject

(5) Where the Commissioner is satisfied that the application of the data subject under subsection (4) is justified or justified to any extent, the Commissioner may require the data user to take such steps for complying with the data subject notice.

(6) A data user who fails to comply with the requirement of the Commissioner under subsection (5) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Section 43. Right to prevent processing for purposes of direct marketing

(1) A data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing.

(2) Where the data subject is dissatisfied with the failure of the data user to comply with the notice, whether in whole or in part, under subsection (1), the data subject may submit an application to the Commissioner to require the data user to comply with the notice.

(3) Where the Commissioner is satisfied that the application of the data subject under subsection (2) is justified or justified to any extent, the Commissioner may require the data user to take such steps for complying with the notice.

(4) A data user who fails to comply with the requirement of the Commissioner under subsection (3) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

(5) For the purposes of this section, "direct marketing" means the communication by whatever means of any advertising or marketing material which is directed to particular individuals.

Section 44. Record to be kept by data user 


(1) A data user shall keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by him.

(2) The Commissioner may determine the manner and form in which the record is to be maintained.


PART III - EXEMPTION

Section 45. Exemption

(1) There shall be exempted from the provisions of this Act personal data processed by an individual only for the purposes of that individual's personal, family or household affairs, including recreational purposes.

(2) Subject to section 46, personal data

(a) processed for

(i) the prevention or detection of crime or for the purpose of investigations;

(ii) the apprehension or prosecution of offenders; or

(iii) the assessment or collection of any tax or duty or any other imposition of a similar

shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;

(b) processed in relation to information of the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this Act of which the application of the provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;

(c) processed for preparing statistics or carrying out research shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;

(d) that is necessary for the purpose of or in connection with any order or judgement of a court shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;

(e) processed for the purpose of discharging regulatory functions shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or

(f) processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle, Retention Principle, Data Integrity Principle and Access Principle and other related provisions of this Act, provided that—

(i) the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material;

(ii) the data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest; and

(iii) the data user reasonably believes that in all the circumstances, compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.

Section 46. Power to make further exemptions


(1) The Minister may, upon the recommendation of the Commissioner, by order published in the Gazette exempt

(a) the application of any of the Personal Data Protection Principles under this Act to any data user or class of data users; or

(b) any data user or class of data users from all or any of the provisions of this Act.

(2) The Minister may impose any terms or conditions as he thinks fit in respect of any exemption made under subsection (1).

(3) The Minister may at any time, on the recommendation of the Commissioner, by order published in the Gazette, revoke any order made under subsection (1).


PART IV - APPOINTMENT, FUNCTIONS AND POWERS OF COMMISSIONER 
Section 47. Appointment of Commissioner 


(1) The Minister shall appoint any person as the "Personal Data Protection Commissioner" for the purposes of carrying out the functions and powers assigned to the Commissioner under this Act on such terms and conditions as he thinks desirable.

(2) The appointment of the Commissioner shall be published in the Gazette.

(3) The Commissioner appointed under subsection (1) shall be a body corporate having perpetual

(4) The Commissioner may sue and be sued in his corporate name.


Section 48. Functions of Commissioner

The Commissioner shall have the following functions:

(a) to advise the Minister on the national policy for personal data protection and all other related matters;

(b) to implement and enforce the personal data protection laws, including the formulation of operational policies and procedures;

(c) to promote and encourage associations or bodies representing data users to prepare codes of practice and to disseminate to their members the codes of practice for the purposes of this Act;

(d) to cooperate with bodies corporate or government agencies for the purpose of performing his functions;

(e) to determine in pursuance of section 128 whether any place outside Malaysia has in place a system for the protection of personal data that is substantially similar to that as provided for under this Act or that serves the same purposes as this Act;

(f) to undertake or cause to be undertaken research into and monitor developments in the processing of personal data, including technology, in order to take account any effects such developments may have on the privacy of individuals in relation to their personal data;

(g) to monitor and supervise compliance with the provisions of this Act, including the issuance of circulars, enforcement notices or any other instruments to any person;

(h) to promote awareness and dissemination of information to the public about the operation of this Act;

(i) to liaise and cooperate with persons performing similar personal data protection functions in any place outside Malaysia in respect of matters of mutual interest, including matters concerning the privacy of individuals in relation to their personal data;

(j) to represent Malaysia through participation in events that relate to personal data protection as authorized by the Minister, whether within or outside Malaysia; and

(k) to carry out such activities and do such things as are necessary, advantageous and proper for the administration of this Act, or such other purposes consistent with this Act as may be directed by the Minister.

Section 49. Powers of Commissioner

(1) The Commissioner shall have all such powers to do all things necessary or expedient for or in connection with the performance of his functions under this Act.

(2) Without prejudice to the generality of subsection (1), the powers of the Commissioner shall include the power

(a) to collect such fees as may be prescribed by the Minister;

(b) to appoint such agents, experts, consultants or any other persons as he thinks fit to assist him in the performance of his functions;

(c) to formulate human resource development and cooperation programmes for the proper and effective performance of his functions;

(d) to enter into contracts;

(e) to acquire, purchase, take, hold and enjoy any movable or immovable property of every description for the performance of his functions, and to convey, assign, surrender, yield up, charge, mortgage, demise, transfer or otherwise dispose of, or deal with such property or any interest therein vested in him;

(f) to perform such other functions as the Minister may assign from time to time; and

(g) to do all such things as may be incidental to or consequential upon the performance of his functions.


Section 50. Appointment of Deputy Commissioners and Assistant 
Commissioners 


(1) The Commissioner may, with the approval of the Minister, from time to time, appoint such number of public officers as Deputy Commissioners and such number of persons as Assistant Commissioners as are necessary to assist the Commissioner in the performance of his functions and the exercise of his powers under this Act.

(2) The Deputy Commissioners and Assistant Commissioners appointed under subsection (1) shall hold office for such periods, receive such remuneration, allowances or benefits, and shall be subject to such terms and conditions of service as the Commissioner, with the approval of the Minister, may determine.

(3) The Deputy Commissioners and Assistant Commissioners appointed under subsection (1) shall be subject to the supervision, direction and control of the Commissioner.


Section 51. Appointment of other officers and servants

The Commissioner may employ on such terms and conditions as he thinks desirable such officers and servants as may be necessary to assist him in the performance of his functions and the exercise of his powers under this Act.


Section 52. Loans and advances to officers and servants 


The Commissioner may grant loans and advances to the officers and servants under section 51 for such purposes and on such terms and conditions as the Commissioner may determine.


Section 53. Tenure of office

Subject to such conditions as may be specified in his instrument of appointment, the Commissioner shall, unless he sooner resigns or vacates his office or his appointment is sooner revoked, hold office for a term not exceeding three years and may be eligible for reappointment.

Section 54. Revocation of appointment and resignation

(1) The Minister may at any time revoke the appointment of the Commissioner and shall state the reason for such revocation.

(2) The Commissioner may at any time resign his office by giving a written notice addressed to the Minister fourteen days prior to the intended date of resignation.


Section 55. Temporary exercise of functions and powers of Commissioner 


(1) The Minister may temporarily appoint a Deputy Commissioner to perform the functions and
powers of the Commissioner for the period when—

(a) the Commissioner is by reason of illness, leave of absence or any other cause unable to
perform his functions for any substantial period; or

(b) the office of the Commissioner is vacant.

(2) A person appointed under subsection (1) shall, during the period in which he is performing the
functions and exercising the powers of the Commissioner under this section, be deemed to be
Section 56. Vacation of office

The office of the Commissioner shall be vacated—

(a) if he dies;

(b) if there has been proved against him, or he has been convicted of, a charge in respect of—

(i) an offence involving fraud, dishonesty or moral turpitude;

(ii) an offence under any law relating to corruption; or

(iii) any other offence punishable with imprisonment (in itself only or in addition to or in lieu
of a fine) for more than two years;

(c) if his conduct, whether in connection with his duties as a Commissioner or otherwise, has
been such as to bring discredit on the office of the Commissioner;

(d) if he becomes bankrupt;

(e) if he is of unsound mind or is otherwise incapable of discharging his duties;

(f) if his appointment is revoked by the Minister; or

(g) if his resignation is accepted by the Minister.


Section 57. Remuneration and allowances 


The Commissioner shall be paid such remuneration and allowances as the Minister may
determine after consultation with the Minister of Finance.


Section 58. Delegation of Commissioner's functions and powers 


(1) The Commissioner may, subject to such conditions, limitations or restrictions as he may think
fit to impose, delegate any of his functions or powers imposed or conferred upon him under this
Act, except his power of delegation, to the Deputy Commissioners or Assistant Commissioners,
and any function or power so delegated may be performed and exercised by the officer in the
name and on behalf of the Commissioner.

(2) The delegation under subsection (1) shall not preclude the Commissioner himself from
performing or exercising at any time the delegated functions or powers.

Section 59. Direction by Minister

(1) The Commissioner shall be responsible to the Minister.

(2) The Minister may give to the Commissioner directions of a general character consistent with
the provisions of this Act relating to the performance of the functions and powers of the
Commissioner and the Commissioner shall give effect to such directions.

Section 60. Returns, reports, accounts and information

(1) The Commissioner shall furnish to the Minister and any such public authority as may be
directed by the Minister, the returns, reports, accounts and information with respect to his
activities as the Minister may require or direct.

(2) Without prejudice to the generality of subsection (1), the Commissioner shall, as soon as
practicable after the end of each financial year, cause to be made and transmitted to the Minister
and, if so directed by the Minister, to any other public authority, a report dealing with the activities
of the Commissioner during the preceding financial year, and the report shall be in such form and
shall contain such information relating to the proceedings and policies of the Commissioner as the
Minister may specify.


PART V - PERSONAL DATA PROTECTION FUND 


Section 61. Establishment of Fund. 


(1) For the purposes of this Act, a fund to be known as the "Personal Data Protection Fund" is
established.

(2) The Fund shall be controlled, maintained and operated by the Commissioner.

(3) The Fund shall consist of

(a) such sums as may be provided by Parliament for the purposes of this Act from time to time;

(b) fees, costs and any other charges imposed by or payable to the Commissioner under this
Act;

(c) all monies derived from the sale, disposal, lease, hire or any other dealings with the
movable or immovable property vested in or acquired by the Commissioner;

(d) all monies as may be paid to the Commissioner from time to time for loans given by the
Commissioner; and

(e) all other monies or property which may in any manner become payable to or vested in the
Commissioner in respect of any matter incidental to his functions and powers.


Section 62. Expenditure to be charged on Fund 
The Fund may be expended for the following purposes:

(a) paying any expenditure lawfully incurred by the Commissioner;

(b) paying any expenses incurred for organizing campaigns, research, studies and publication
of materials for the protection of personal data;

(c) paying the remuneration, allowances, benefits and other expenses of the Commissioner,
Deputy Commissioners, Assistant Commissioners, members of the Advisory Committee,
members, officers and servants of the Appeal Tribunal and officers and servants of the
Commissioner, including the granting of loans and advances, superannuation allowances,
retirement benefits and gratuities;

(d) paying any other expenses, expenditure, fees and costs, including fees for the engagement
of consultants, and legal fees and costs, properly incurred or accepted, or deemed fit by the
Commissioner in the performance of his functions and the exercise of his powers;

(e) purchasing or hiring equipment and materials, acquiring land and any assets, and carrying
out any other works and undertakings in the performance of his functions and the exercise of
his powers; and

(f) generally, paying any expenses for carrying into effect the provisions of this Act.


Section 63. Conservation of Fund 
It shall be the duty of the Commissioner to conserve the Fund by so performing his functions and
exercising his powers under this Act as to secure that the total revenues of the Commissioner are
sufficient to meet all sums properly chargeable to its revenue account, including depreciation and
interest on capital, taking one year with another.


Section 64. Reserve fund. 


The Commissioner shall establish and maintain a reserve fund within the Fund.


Section 65. Financial year 


The financial year of the Commissioner shall begin on 1 January and end on 31 December of
each year.

Section 66. Limitation on contracts

The Commissioner shall not, without the approval of the Minister and the concurrence of the
Minister of Finance, enter into any contract under which the Commissioner is to pay or receive an
amount exceeding one million ringgit.


Section 67. Bank accounts

The Commissioner shall open and maintain an account or accounts with such financial institution
or financial institutions in Malaysia as the Commissioner, after consulting with the Minister, thinks
fit; and every such account shall be operated upon as far as practicable by cheques signed by
such persons as may be authorized by the Minister.

Section 68. Accounts and audit

The Commissioner shall cause proper accounts to be kept and maintained in respect of the Fund
and in compliance with the provisions of the Statutory Bodies (Accounts and Annual Reports) Act
1980 [Act 240].


Section 69. Expenditure and preparation of estimates. 


(1) The expenditure of the Commissioner up to such amount as may be authorized by the Minister
for any one year shall be defrayed out of the Fund.

(2) Before 1 June of each year, the Commissioner shall submit to the Minister an estimate of the
expenditure for the following year in such form and containing such particulars as the Minister
may direct.

(3) The Minister shall, before 1 January of the following year, notify the Commissioner of the
amount authorized for expenditure generally or of the amounts authorized for each description of
expenditure based on the estimate prepared under subsection (2).

(4) The Commissioner may at any time submit to the Minister a supplementary estimate of its expenditure
for any one year and the Minister may allow the whole or any part of the additional expenditure to be
included in the supplementary estimate.


PART VI - PERSONAL DATA PROTECTION ADVISORY COMMITTEE

Section 70. Establishment of Advisory Committee

There is established a Personal Data Protection Advisory Committee.


Section 71. Functions of Advisory Committee 


(1) The functions of the Advisory Committee shall be—

(a) to advise the Commissioner on all matters relating to personal data protection, and the due
administration and enforcement of this Act; and

(b) to advise the Commissioner on any matter referred by him to the Advisory Committee.

(2) The Commissioner shall not be bound to act upon the advice of the Advisory Committee.

Section 72. Members of Advisory Committee

The Advisory Committee shall consist of the following members to be appointed by the Minister:

(a) a Chairman;

(b) three members from the public sector; and

(c) at least seven but not more than eleven other members.

Section 73. Tenure of office

A member appointed under section 72 shall, unless he sooner resigns or vacates his office or his
appointment is sooner revoked, hold office for such period not exceeding three years as the
Minister may determine at the time of his appointment, and shall be eligible for reappointment, but
no member shall hold office for more than two consecutive terms.


Section 74. Revocation of appointment and resignation 


(1) The Minister may at any time revoke the appointment of any member of the Advisory
Committee and shall state the reason for such revocation.

(2) A member of the Advisory Committee appointed under section 72 may at any time resign from
his office by giving a written notice addressed to the Minister fourteen days prior to the intended
date of resignation.


Section 75. Temporary exercise of functions of Chairman 


(1) The Minister may temporarily appoint any member of the Advisory Committee to act as the
Chairman for the period when

(a) the Chairman is by reason of illness, leave of absence or any other cause unable to
perform his functions for any substantial period; or

(b) the office of the Chairman is vacant.

(2) A member appointed under subsection (1) shall, during the period in which he is performing
the functions of the Chairman under this section, be deemed to be the Chairman.


Section 76. Vacation of office 
The office of a member of the Advisory Committee shall be vacated—

(a) if he dies;

(b) if there has been proved against him, or he has been convicted of, a charge in respect of—

(i) an offence involving fraud, dishonesty or moral turpitude;

(ii) an offence under any law relating to corruption; or

(iii) any other offence punishable with imprisonment (in itself only or in addition to or in lieu
of a fine) for more than two years;

(c) if his conduct, whether in connection with his duties as a member of the Advisory
Committee or otherwise, has been such as to bring discredit on the Advisory Committee;

(d) if he becomes bankrupt;

(e) if he is of unsound mind or is otherwise incapable of discharging his duties;

(f) in the case of the Chairman, if he absents himself from a meeting of the Advisory
Committee without leave in writing of the Minister;

(g) in the case of a member of the Advisory Committee other than the Chairman, if he absents
himself from three consecutive meetings of the Advisory Committee without leave in writing of
the Chairman;

(h) if his appointment is revoked by the Minister; or

(i) if his resignation is accepted by the Minister.


Section 77. Allowances 


The Chairman and all other members of the Advisory Committee may be paid such allowances as
the Minister may determine after consultation with the Minister of Finance.

Section 78. Time and place of meetings

(1) The Advisory Committee is to hold as many meetings as are necessary for the efficient
performance of its functions and such meetings are to be held at such places and times as the
Chairman may decide, provided that the Chairman shall not allow more than ve months to lapse
between meetings.

(2) The Chairman shall call for a meeting if requested to do so in writing by the Minister or by at
least four members of the Advisory Committee.


Section 79. Advisory Committee may invite others to attend meetings 


(1) The Advisory Committee may invite any person to attend any meeting or deliberation of the
Advisory Committee for the purpose of assisting it on any matter under discussion.

(2) A person invited under subsection (1) shall be paid such allowances as may be determined by
the Commissioner.


Section 80. Minutes. 


(1) The Advisory Committee shall cause minutes of all its meetings to be maintained and kept in a
proper form.

(2) Minutes made of meetings of the Advisory Committee shall, if duly signed, be admissible in
evidence in all legal proceedings without further proof.

(3) Every meeting of the Advisory Committee in respect of the proceedings of which minutes have
been so made shall be deemed to have been duly convened and held and all members thereat to
have been duly qualified to act.

Section 81. Procedure 

The Advisory Committee may regulate its own procedure.

Section 82. Members to devote time to business of Advisory Committee

The members of the Advisory Committee shall devote such time to the business of the Advisory
Committee as is necessary to discharge their duties effectively.

PART VII - APPEAL TRIBUNAL

Section 83. Establishment of Appeal Tribunal

There is established an Appeal Tribunal for the purpose of reviewing any of the matters on appeal
as set out in section 93.


Section 84. Powers of Appeal Tribunal

(1) The Appeal Tribunal shall have the power—

(a) to summon parties to the proceedings or any other person to attend before it to give
evidence in respect of an appeal;

(b) to procure and receive evidence on oath or affirmation, whether written or oral, and
examine all such persons as witnesses as the Appeal Tribunal considers necessary;

(c) where a person is so summoned, to require the production of any information, document or
other thing in his possession or under his control which the Appeal Tribunal considers
necessary for the purposes of the appeal;

(d) to administer any oath, affirmation or statutory declaration, as the case may require;

(e) where a person is so summoned, to allow the payment for any reasonable expenses
incurred in connection with his attendance;

(f) to admit evidence or reject evidence adduced, whether oral or documentary, and whether
admissible or inadmissible under the provisions of any written law relating to the admissibility
of evidence;

(g) to adjourn the hearing of an appeal from time to time, including the power to adjourn to
consider its decision; and

(h) generally to direct and do all such matters as may be necessary or expedient for the
expeditious decision of the appeal.

(2) The Appeal Tribunal shall have the powers of a subordinate court with regard to the
enforcement of attendance of witnesses, hearing evidence on oath or affirmation and punishment
for contempt.


Section 85. Members of Appeal Tribunal 


(1) The Appeal Tribunal shall consist of the following members who shall be appointed by the
Minister:

(a) a Chairman; and

(b) at least two other members, or such greater number of members as the Minister thinks
necessary.

(2) The Minister shall appoint a person who is a member of the Judicial and Legal Service of the
Federation for at least ten years to be the Chairman of the Appeal Tribunal.

(3) The appointment of the members of the Appeal Tribunal shall be published by notification in
the Gazette.

Section 86. Secretary to Appeal Tribunal and other officers, etc.

(1) The Minister shall appoint a Secretary to the Appeal Tribunal on such terms and conditions as
he thinks desirable.

(2) The Secretary to the Appeal Tribunal shall be responsible for the administration and
management of the functions of the Appeal Tribunal.

(3) The Minister may appoint such number of officers and servants as the Minister thinks fit to
assist the Secretary to the Appeal Tribunal in carrying out his functions under subsection (2).

(4) The Secretary to the Appeal Tribunal shall have the general control of the officers and servants of the
Appeal Tribunal.

(5) For the purposes of this Act, the Secretary to the Appeal Tribunal and the officers appointed under
subsection (3) shall be deemed to be officers of the Appeal Tribunal.


Section 87. Tenure of office. 


A member of the Appeal Tribunal appointed under subsection 85(1) shall, unless he sooner
resigns or vacates his office or his appointment is sooner revoked—

(a) hold office for a term not exceeding three years; and

(b) shall be eligible for reappointment upon the expiry of his term of office, but shall not be
appointed for more than two consecutive terms.


Section 88. Resignation and revocation of appointment 


(1) The Minister may at any time revoke the appointment of a member of the Appeal Tribunal and
shall state the reason for such revocation.

(2) A member of the Appeal Tribunal appointed under subsection 85(1) may at any time resign
from his office by giving a written notice addressed to the Minister fourteen days prior to the
intended date of resignation.


Section 89. Temporary exercise of functions of Chairman 


(1) The Minister may temporarily appoint any member of the Appeal Tribunal to act as the
Chairman for the period when—

(a) the Chairman is by reason of illness, leave of absence or any other cause unable to
perform his functions for any substantial period; or

(b) the office of the Chairman is vacant.

(2) A member appointed under subsection (1) shall, during the period in which he is performing
the functions of the Chairman under this section, be deemed to be the Chairman.


Section 90. Vacation of office 
The office of a member of the Appeal Tribunal shall be vacated—

(a) if he dies;

(b) if there has been proved against him, or he has been convicted of, a charge in respect of

(i) an offence involving fraud, dishonesty or moral turpitude;

(ii) an offence under any law relating to corruption; or

(iii) any other offence punishable with imprisonment (in itself only or in addition to or in lieu
of a fine) for more than two years;

(c) if his conduct, whether in connection with his duties as a member of the Appeal Tribunal or
otherwise, has been such as to bring discredit on the Appeal Tribunal;

(d) if he becomes bankrupt;

(e) if he is of unsound mind or otherwise incapable of discharging his duties;

(f) if he fails to comply with his obligations under section 92;

(g) if his performance as a member of the Appeal Tribunal has been unsatisfactory for a
significant period of time;

(h) if his appointment is revoked by the Minister; or

(i) if his resignation is accepted by the Minister.

Section 91. Allowances 


(1) The Chairman of the Appeal Tribunal appointed under paragraph 85(1)(a) shall be paid such
fixed allowances and other allowances as the Minister may determine.

(2) The other members of the Appeal Tribunal appointed under paragraph 85(1) shall be paid—

(a) daily sitting allowances during the sitting of the Appeal Tribunal; and

(b) lodging, travelling and subsistence allowances,

as the Minister may determine.

Section 92. Disclosure of interest 

(1) A member of the Appeal Tribunal shall disclose, as soon as practicable, to the Chairman any
interest, whether substantial or not, which might conflict with the member's duties as a member of
the Appeal Tribunal in a particular matter.

(2) If the Chairman is of the opinion that the member's interest is in conflict with his duties as a
member of the Appeal Tribunal, the Chairman shall inform all the parties to the matter of the
conflict.

(3) If none of the parties to the matter objects to the conflict, the member may continue to execute
his duties as a member of the Appeal Tribunal in relation to that matter.

(4) If a party to the matter objects to the conflict, the member of the Appeal Tribunal shall not
continue to execute his duties as a member of the Appeal Tribunal in relation to the matter.

(5) The failure by the member to disclose his interest under subsection (1) shall

(a) invalidate the decision of the Appeal Tribunal, unless all parties agree to be bound by the
decision; and

(b) subject the member to the revocation of his appointment under section 88.


Section 93. Appeal to Appeal Tribunal 


(1) Any person who is aggrieved by the decision of the Commissioner under this Act relating to
matters, including—

(a) the registration of a data user under Division 2 of Part II;

(b) the refusal of the Commissioner to register a code of practice under subsection 230)

(c) the failure of the data user to comply with a data access request or data correction request
under Division 4 of Part II;

(d) the issuance of an enforcement notice under section 108;

(e) the refusal of the Commissioner to vary or revoke an enforcement notice under section
109; and

(f) the refusal of the Commissioner to carry out or continue an investigation initiated by a
complaint under Part VIII,

may appeal to the Appeal Tribunal by filing a notice of appeal with the Appeal Tribunal.

(2) The notice of appeal shall be made in writing to the Appeal Tribunal within thirty days from the
date of the decision of the Commissioner, or in the case of an enforcement notice, within thirty
days after the enforcement notice is served upon the relevant data user, and the appellant shall
serve a copy of the notice of appeal upon the Commissioner.

(3) The notice of appeal shall state briefly the substance of the decision of the Commissioner
against which an appeal is filed with the Appeal Tribunal, contain an address at which any notice
or document connected with the appeal may be served upon the appellant or his advocate, and
shall be signed by the appellant or his advocate.


Section 94. Record of decision of Commissioner

(1) The aggrieved person referred to in subsection 93(1) may, on his own initiative, request in
writing from the Commissioner a statement of the grounds for his decision.

(2) Subject to subsection (3), the Commissioner shall, upon receiving the written request under
subsection (1), provide to the aggrieved person, upon the payment of a prescribed fee, a copy of
a statement of the grounds for his decision.

(3) Where a notice of appeal has been filed with the Appeal Tribunal under subsection 93(1), the
Commissioner shall, if he has not already written the grounds for his decision in respect of the
matter stated in the notice under subsection 93(), record in writing the grounds for his decision
and the written grounds shall form part of the record of proceedings before the Appeal Tribunal.


Section 95. Stay of decision pending appeal 


(1) A decision of the Commissioner shall be valid, binding and enforceable pending the decision
of an appeal by the Appeal Tribunal, except where an appeal against an enforcement notice has
been made to the Appeal Tribunal in accordance with subsection 93(2), or a stay of the decision
of the Commissioner has been applied for under subsection (2) and granted by the Appeal
Tribunal.

(2) An aggrieved person may apply in writing to the Appeal Tribunal for a stay of the decision of
the Commissioner on or after the notice of appeal has been filed with the Appeal Tribunal.


Section 96. Composition of Appeal Tribunal 


(1) Every proceeding of the Appeal Tribunal shall be heard and disposed of by three members or
such greater uneven number of members of the Appeal Tribunal as the Chairman may in any
particular case determine.

(2) In the absence of the Chairman, the senior member of the Appeal Tribunal shall preside.


Section 97. Sitting of Appeal Tribunal 
(1) The Appeal Tribunal shall sit on such dates and at such places as the Chairman may appoint.

(2) The Chairman may cancel or postpone any sitting of the Appeal Tribunal or change the place
of the sitting which has been appointed under subsection (1).

(3) The Secretary to the Appeal Tribunal shall by written notice inform the parties to the appeal of
any change to the date or place of any sitting of the Appeal Tribunal.

Section 98. Procedure of Appeal Tribunal

The Appeal Tribunal may regulate its own procedure.

Section 99. Decision of Appeal Tribunal

(1) The decision of the Appeal Tribunal on any matter shall be decided on a majority of members
of the Appeal Tribunal.

(2) A decision of the Appeal Tribunal shall be final and binding on the parties to the appeal.

Section 100. Enforcement of decision of Appeal Tribunal

A decision given by the Appeal Tribunal may, by leave of the Sessions Court, be enforced in the
same manner as a judgment or order to the same effect, and where leave is so given, judgment
may be entered in terms of the decision.


PART VIII - INSPECTION, COMPLAINT AND INVESTIGATION

Section 101. Inspection of personal data system

(1) The Commissioner may carry out an inspection of

(a) any personal data system used by data users for the purpose of ascertaining information to
assist the Commissioner in making recommendations to the relevant data user relating to the
promotion of compliance with the provisions of this Act, in particular the Personal Data
Protection Principles, by the relevant data user; or

(b) any personal data system used by data users belonging to a class of data users for the
purpose of ascertaining information to assist the Commissioner in making recommendations to
the class of data users to which the relevant data user belongs relating to the promotion of
compliance with the provisions of this Act, in particular the Personal Data Protection Principles,
by the class of data users to which the relevant data user belongs.

(2) For the purposes of this section—

"data user" includes a data processor;

"personal data system" means any system, whether automated or otherwise, which is used,
whether in whole or in part, by a data user for the processing of personal data, and includes the
record maintained under section 41 and any document and equipment forming part of the system.


Section 102. Relevant data user, etc., to be informed of result of inspection 
Where the Commissioner has completed an inspection of a personal data system, he shall in
such manner and at such time as he thinks fit inform the relevant data user or class of data users
to which the relevant data user belongs of—

(a) the results of the inspection;

(b) any recommendations arising from the inspection that the Commissioner thinks fit to make
relating to the promotion of compliance with the provisions of this Act, in particular the
Personal Data Protection Principles, by the relevant data user or the class of data users to
which the relevant data user belongs; and

(c) such other comments arising from the inspection as he thinks fit.


Section 103. Reports by Commissioner 


(1) The Commissioner may, after completing the inspection of any personal data system used by
data users belonging to a class of data users, publish a report

(a) setting out any recommendations arising from the inspection that the Commissioner thinks
fit to make relating to the promotion of compliance with the provisions of this Act, in particular
the Personal Data Protection Principles, by the class of data users to which the relevant data
users belong; and

(b) in such manner as he thinks fit.

(2) A report published under subsection (1) shall be so framed as to prevent the identity of any
individual from being ascertained.


Section 104. Complaint 


Any individual or relevant person may make a complaint in writing to the Commissioner about an
act, practice or request

(a) specified in the complaint;

(b) that has been done or engaged in, or is being done or engaged in, by the data user
specified in the complaint;

(c) that relates to personal data of which the individual is the data subject; and

(d) that may be a contravention of the provisions of this Act, including any codes of practice.


Section 105. Investigation by Commissioner 


(1) Where the Commissioner receives a complaint under section 104, the Commissioner shall,
subject to section 106, carry out an investigation in relation to the relevant data user to ascertain
whether the act, practice or request specified in the complaint contravenes the provisions of this
Act.

(2) Where the Commissioner has reasonable grounds to believe that an act, practice or request
has been done or engaged in, or is being done or engaged in, by the relevant data user that
relates to personal data and such act, practice or request may be a contravention of the
provisions of this Act, the Commissioner may carry out an investigation in relation to the relevant
data user to ascertain whether the act, practice or request contravenes the provisions of this Act.

(3) The provisions of Part IX shall apply in respect of investigations carried out by the
Commissioner under this Part.


Section 106. Restriction on investigation initiated by complaint

(1) The Commissioner may refuse to carry out or continue an investigation initiated by a complaint
if he is of the opinion that, having regard to all the circumstances of the case—

(a) the complaint, or a complaint of a substantially similar nature, has previously initiated an
investigation as a result of which the Commissioner was of the opinion that there has been no
contravention of the provisions of this Act;

(b) the act, practice or request specified in the complaint is trivial;

(c) the complaint is frivolous, vexatious or is not made in good faith; or

(d) any investigation or further investigation is for any other reason unnecessary.

(2) Notwithstanding the generality of the powers conferred on the Commissioner by this Act, the
Commissioner may refuse to carry out or continue an investigation initiated by a complaint—

(a) if

(i) the complainant; or

(ii) in the case where the complainant is a relevant person in relation to a data subject, the
data subject or relevant person, as the case may be,

has had actual knowledge of the act, practice or request specified in the complaint for more
than two years immediately preceding the date on which the Commissioner received the
complaint, unless the Commissioner is satisfied that in all the circumstances of the case it is
proper to carry out or continue the investigation;

(b) if the complaint is made anonymously;

(c) if the complainant cannot be identified or traced;

(d) if the Commissioner is satisfied that the relevant data user has not been a data user for a
period of not less than two years immediately preceding the date on which the Commissioner
received the complaint; or

(e) in any other circumstances as he thinks fit.

(3) Where the Commissioner refuses under this section to carry out or continue an investigation
initiated by a complaint, he shall, as soon as practicable but in any case not later than thirty days
after the date of receipt of the complaint, by notice in writing served on the complainant inform the
complainant of the refusal and of the reasons for the refusal.

(4) An appeal may be made to the Appeal Tribunal against any refusal specified in the notice
under subsection (3) by the complainant on whom the notice was served or, if the complainant is a
relevant person, by the data subject in respect of whom the complainant is the relevant person.


Section 107. Commissioner may carry out or continue investigation
initiated by complaint notwithstanding withdrawal of complaint

Where the Commissioner is of the opinion that it is in the public interest so to do, he may carry out
or continue an investigation initiated by a complaint notwithstanding that the complainant has
withdrawn the complaint and, in any such case, the provisions of this Act shall apply to the
complaint and the complainant as if the complaint had not been withdrawn.


Section 108. Enforcement notice 


(1) Where, following the completion of an investigation about an act, practice or request specified in the complaint, the Commissioner is of the opinion that the relevant data user—

(a) is contravening a provision of this Act; or

(b) has contravened such a provision in circumstances that make it likely that the contravention will continue or be repeated,

then the Commissioner may serve on the relevant data user an enforcement notice—

(A) stating that he is of that opinion;

(B) specifying the provision of this Act on which he has based that opinion and the reasons why he is of that opinion;

(C) directing the relevant data user to take such steps as are specified in the enforcement notice to remedy the contravention or, as the case may be, the matters occasioning it within such period as is specified in the enforcement notice; and

(D) directing, where necessary, the relevant data user to cease processing the personal data pending the remedy of the contravention by the relevant data user.

(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention or the matter to which the enforcement notice relates has caused or is likely to cause damage or distress to the data subject of the personal data to which the contravention or matter relates.

(3) The steps as specified in the enforcement notice to remedy the contravention or matter to which the enforcement notice relates may be framed—

(a) to any extent by reference to any approved code of practice; or

(b) so as to afford the relevant data user a choice between different ways of remedying the contravention or matter.

(4) The period specified in the enforcement notice under subsection (1) for taking the steps specified in it shall not expire before the end of the period specified in subsection 93(2) within which an appeal against the enforcement notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal.

(5) Notwithstanding subsection (4), if the Commissioner is of the opinion that by reason of special circumstances the steps specified in the enforcement notice should be taken as a matter of urgency—

(a) he may include a statement to that effect in the enforcement notice together with the reasons why he is of that opinion; and

(b) where such a statement is so included, subsection (4) shall not apply but the enforcement notice shall not require those steps to be taken before the end of the period of seven days from the date on which the enforcement notice was served.

(6) An appeal may be made to the Appeal Tribunal against an enforcement notice by the relevant data user in accordance with section 93.

(7) Where the Commissioner—

(a) forms an opinion referred to in subsection (1) in respect of the relevant data user at any time before the completion of an investigation; and

(b) is also of the opinion that, by reason of special circumstances, an enforcement notice should be served on the relevant data user as a matter of urgency,

he may so serve the enforcement notice notwithstanding that the investigation has not been completed and, in any such case—

(A) the Commissioner shall, without prejudice to any other matters to be included in the enforcement notice, specify in the enforcement notice the reasons as to why he is of the opinion referred to in paragraph (b); and

(B) the other provisions of this Act, including this section, shall be construed accordingly.

(8) A person who fails to comply with an enforcement notice commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Section 109. Variation or cancellation of enforcement notice 

The Commissioner may, on his own initiative or on the application of a relevant data user, vary or cancel the enforcement notice served under subsection 108(1) by notice in writing to the relevant data user if the Commissioner is satisfied with the action taken by the relevant data user to remedy the contravention.


PART IX- ENFORCEMENT 
Section 110. Authorized officers

The Commissioner may in writing authorize any officer appointed under sections 50 and 51 or any public officer to exercise the powers of enforcement under this Act.


Section 111. Authority card 


(1) The Commissioner shall issue to each authorized officer an authority card which shall be signed by the Commissioner.

(2) Whenever the authorized officer exercises any of the powers of enforcement under this Act, he shall produce on demand to the person against whom the power is being exercised the authority card issued to him under subsection (1).

Section 112. Power of investigation 

(1) An authorized officer may investigate the commission of any offence under this Act.

(2) For the avoidance of doubt, it is declared that for the purposes of this Act, the authorized officer shall have all or any of the special powers of a police officer of whatever rank in relation to police investigations in seizable cases as provided for under the Criminal Procedure Code [Act 593], and such powers shall be in addition to the powers provided for under this Act and not in derogation thereof.

Section 113. Search and seizure with warrant 


(1) If it appears to a Magistrate, upon written information on oath from the authorized officer and after such inquiry as the Magistrate considers necessary, that there is reasonable cause to believe that—

(a) any premises has been used for; or

(b) there is in any premises evidence necessary to the conduct of an investigation into,

the commission of an offence under this Act, the Magistrate may issue a warrant authorizing the authorized officer named in the warrant at any reasonable time by day or night and with or without assistance, to enter the premises and if need be by force.

(2) Without affecting the generality of subsection (1), the warrant issued by the Magistrate may authorize the search and seizure of—

(a) any computer, book, account, computerized data or other document which contains or is reasonably suspected to contain information as to any offence suspected to have been committed;

(b) any signboard, card, letter, pamphlet, leaflet or notice representing or implying that the person is registered under this Act; or

(c) any equipment, instrument or article that is reasonably believed to furnish evidence of the commission of the offence.

(3) An authorized officer conducting a search under subsection (1) may, for the purpose of investigating into the offence, search any person who is in or on the premises.

(4) An authorized officer making a search of a person under subsection (3) or section 114 may seize or take possession of, and place in safe custody all things other than the necessary clothing found upon the person, and any of those things which there is reason to believe were the instruments or other evidence of the offence may be detained until the discharge or acquittal of the person.

(5) Whenever it is necessary to cause a woman to be searched, the search shall be made by another woman with strict regard to decency.

(6) If, by the reason of its nature, size or amount, it is not practicable to remove any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under this section, the authorized officer shall by any means seal such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article in the premises or container in which it is found.

(7) A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (6) or removes any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article under seal or attempts to do so commits an offence and shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding six months or to both.


Section 114. Search and seizure without warrant

If an authorized officer is satisfied upon information received that he has reasonable cause to believe that by reason of delay in obtaining a search warrant under section 113 the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, the authorized officer may enter the premises and exercise in, upon and in respect of the premises all the powers referred to in section 113 in as full and ample a manner as if he were authorized to do so by a warrant issued under that section.




Section 115. Access to computerized data

(1) An authorized officer conducting a search under sections 113 and 114 shall be given access to computerized data whether stored in a computer or otherwise.

(2) For the purposes of this section, "access"—

(a) includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data; and

(b) has the meaning assigned to it by subsections 2(2) and (5) of the Computer Crimes Act 1997 [Act 563].


Section 116. Warrant admissible notwithstanding defects

A search warrant issued under this Act shall be valid and enforceable notwithstanding any defect, mistake or omission therein or in the application for such warrant, and any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under such warrant shall be admissible in evidence in any proceedings under this Act.


Section 117. List of computer, book, account, etc., seized 


(1) Except as provided in subsection (2), where any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is seized pursuant to this Act, the authorized officer making the seizure—

(a) shall prepare—

(i) a list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and shall sign the list; and

(ii) a written notice of the seizure containing the grounds for the seizure and shall sign the notice; and

(b) shall as soon as practicable serve a copy of the list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and the written notice of the seizure to the occupier of the premises which have been searched, or to his agent or servant at those premises.

(2) The written notice of the seizure shall not be required to be served in pursuance of paragraph (1)(b) where the seizure is made in the presence of the person against whom proceedings under this Act are intended to be taken, or in the presence of the owner of such property or his agent, as the case may be.

(3) If the premises are unoccupied, the authorized officer shall post a copy of the list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized conspicuously on the premises.




Section 118. Release of computer, book, account, etc., seized 


(1) If any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article has been seized under this Act, the authorized officer who effected the seizure may, after referring to the Public Prosecutor, release the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article to the person as he determines to be lawfully entitled to it, if the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is not liable to forfeiture under this Act, and not otherwise required for the purpose of any proceedings under this Act or for the purpose of any prosecution under any other written law, and in such event neither the authorized officer effecting the seizure, nor the Federal Government, Commissioner or any person acting on behalf of the Federal Government or Commissioner shall be liable to any proceedings by any person if the seizure and the release of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article had been effected in good faith.

(2) A record in writing shall be made by the authorized officer effecting the release of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article under subsection (1) specifying in detail the circumstances of and the reason for the release, and he shall send a copy of the record to the Public Prosecutor within seven days of the release.


Section 119. No cost or damages arising from seizure to be recoverable 


No person shall, in any proceedings before any court in respect of any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized in the exercise or the purported exercise of any power conferred under this Act, be entitled to the costs of such proceedings or to any damages or other relief unless such seizure was made without reasonable cause.


Section 120. Obstruction to search

Any person who—

(a) refuses any authorized officer access to any premises which the authorized officer is entitled to have under this Act or in the execution of any duty imposed or power conferred by this Act;

(b) assaults, obstructs, hinders or delays any authorized officer in effecting any entry which the authorized officer is entitled to effect under this Act, or in the execution of any duty imposed or power conferred by this Act; or

(c) refuses any authorized officer any information relating to an offence or suspected offence under this Act or any other information which may reasonably be required of him and which he has in his knowledge or power to give,

commits an offence and shall, on conviction, be liable to imprisonment for a term not exceeding two years or to a fine not exceeding ten thousand ringgit or to both.




Section 121. Power to require production of computer, book, account, etc. 


An authorized officer shall, for the purposes of the execution of this Act, have the power to do all or any of the following:

(a) to require the production of any computer, book, account, computerized data or other document kept by the data user or any other person and to inspect, examine and to download from them, make copies of them or take extracts from them;

(b) to require the production of any identification document from any person in relation to any act or offence under this Act;

(c) to make such enquiries as may be necessary to ascertain whether the provisions of this Act have been complied with.


Section 122. Power to require attendance of persons acquainted with case 


(1) An authorized officer making an investigation under this Act may by order in writing require the attendance before himself of any person who appears to the authorized officer to be acquainted with the facts and circumstances of the case, and such person shall attend as so required.

(2) If any person refuses or fails to attend as so required, the authorized officer may report such refusal or failure to a Magistrate who shall issue a summons to secure the attendance of such person as may be required by the order made under subsection (1).


Section 123. Examination of persons acquainted with case 


(1) An authorized officer making an investigation under this Act may examine orally any person supposed to be acquainted with the facts and circumstances of the case and shall reduce into writing any statement made by the person so examined.

(2) Such person shall be bound to answer all questions relating to the case put to him by the authorized officer:

Provided that such person may refuse to answer any question the answer to which would have a tendency to expose him to a criminal charge or penalty or forfeiture.

(3) A person making a statement under this section shall be legally bound to state the truth, whether or not such statement is made wholly or partly in answer to questions.

(4) The authorized officer examining a person under subsection (1) shall first inform that person of the provisions of subsections (2) and (3).

(5) A statement made by any person under this section shall, whenever possible, be taken down in writing and signed by the person making it or affixed with his thumb print, as the case may be, after it has been read to him in the language in which he made it and after he has been given an opportunity to make any corrections he may wish.


Section 124. Admission of statements in evidence 


(1) Except as provided in this section, no statement made by any person to an authorized officer in the course of an investigation made under this Act shall be used in evidence.

(2) When any witness is called for the prosecution or for the defence, other than the accused, the court shall, on the request of the accused or the prosecutor, refer to any statement made by that witness to the authorized officer in the course of the investigation under this Act and may then, if the court thinks fit in the interest of justice, direct the accused to be furnished with a copy of it and the statement may be used to impeach the credit of the witness in the manner provided by the Evidence Act 1950 [Act 56].

(3) Where the accused had made a statement during the course of an investigation, such statement may be admitted in evidence in support of his defence during the course of the trial.

(4) Nothing in this section shall be deemed to apply to any statement made in the course of an identification parade or falling within section 27 or paragraphs 32(1)(a), (i) and (j) of the Evidence Act 1950.

(5) When any person is charged with any offence in relation to—

(a) the making; or

(b) the contents,

of any statement made by him to an authorized officer in the course of an investigation made under this Act, that statement may be used as evidence in the prosecution's case.


Section 125. Forfeiture of computer, book, account, etc., seized 


(1) Any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized shall be liable to forfeiture.

(2) An order for the forfeiture of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and liable to forfeiture under this Act shall be made by the court before which the prosecution with regard thereto has been held if it is proved to the satisfaction of the court that an offence under this Act has been committed and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized was the subject matter of or was used in the commission of the offence, notwithstanding that no person has been convicted of such offence.

(3) If there is no prosecution with regard to any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under this Act, such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article shall be taken and deemed to be forfeited at the expiration of a period of one calendar month from the date of service of a notice to the last-known address of the person from whom the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article was seized indicating that there is no prosecution in respect of such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article, unless before the expiration of that period a claim thereto is made in the manner set out in subsections (4), (5) and (6).

(4) Any person asserting that he is the owner of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article referred to in subsection (3) and that it is not liable to forfeiture may, personally or by his agent authorized in writing, give written notice to the authorized officer in whose possession such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is held that he claims the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article.

(5) On receipt of the notice under subsection (4), the authorized officer shall refer the matter to a Magistrate for

(6) The Magistrate to whom the matter is referred under subsection (5) shall issue a summons requiring the person asserting that he is the owner of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article and the person from whom it was seized to appear before the Magistrate, and upon their appearance or default to appear, due service of the summons having been proved, the Magistrate shall proceed to the examination of the matter and, on proof that an offence under this Act has been committed and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized was the subject matter of or was used in the commission of such offence, the Magistrate shall order the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article to be forfeited, and shall, in the absence of such proof, order its release.

(7) Any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article forfeited or deemed to be forfeited shall be delivered to the Commissioner and shall be disposed of in such manner as the Commissioner thinks fit.

Section 126. Joinder of offences

Notwithstanding anything contained in section 164 of the Criminal Procedure Code, where a person is accused of more than one offence under this Act, he may be charged with and tried at one trial for any number of such offences committed within the space of any length of time.

Section 127. Power of arrest

(1) An authorized officer or police officer may arrest without warrant any person whom he reasonably believes has committed or is attempting to commit an offence under this Act.

(2) An authorized officer making an arrest under subsection (1) shall without unnecessary delay make over the person so arrested to the nearest police officer or, in the absence of a police officer, take such person to the nearest police station, and thereafter the person shall be dealt with as is provided for by the law relating to criminal procedure for the time being in force as if he had been arrested by a police officer.


PART X- MISCELLANEOUS

Section 128. Register

(1) The Commissioner shall maintain in both physical and electronic forms a register as required under this Act.

(2) A person may on payment of the prescribed fee—

(a) inspect the register; or

(b) make a copy of or take extracts from an entry in the register.

(3) Where a person requests that a copy of an entry in the register be provided in an electronic form, the Commissioner may provide the relevant information by way of electronic means.

Section 129. Transfer of personal data to places outside Malaysia

(1) A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.

(2) For the purposes of subsection (1), the Minister may specify any place outside Malaysia if—

(a) there is in that place in force any law which is substantially similar to this Act, or that serves the same purposes as this Act; or

(b) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by this Act.

(3) Notwithstanding subsection (1), a data user may transfer any personal data to a place outside Malaysia if—

(a) the data subject has given his consent to the transfer;

(b) the transfer is necessary for the performance of a contract between the data subject and the data user;

(c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which—

(i) is entered into at the request of the data subject; or

(ii) is in the interests of the data subject;

(d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;

(e) the data user has reasonable grounds for believing that in all circumstances of the case—

(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;

(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and

(iii) if it was practicable to obtain such consent, the data subject would have given his consent;

(f) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;

(g) the transfer is necessary in order to protect the vital interests of the data subject; or

(h) the transfer is necessary as being in the public interest in circumstances as determined by the Minister.

(4) Where the Commissioner has reasonable grounds for believing that in a place as specified under subsection (1) there is no longer in force any law which is substantially similar to this Act, or that serves the same purposes as this Act—

(a) the Commissioner shall make such recommendations to the Minister who shall, either by cancelling or amending the notification made under subsection (1), cause that place to cease to be a place to which personal data may be transferred under this section; and

(b) the data user shall cease to transfer any personal data of a data subject to such place with effect from the time as specified by the Minister in the notification.

(5) A data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

(6) For the purposes of this section, "adverse action", in relation to a data subject, means any action that may adversely affect the data subject's rights, benefits, privileges, obligations or interests.




Section 130. Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user—

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows—

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data—

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if—

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

(7) A person who commits an offence under this section shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.


Section 131. Abetment and attempt punishable as offences 


(1) A person who abets the commission of or who attempts to commit any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for that offence.

(2) A person who does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for the offence:

Provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence.




Section 132. Compounding of offences

(1) The Commissioner may, with the consent in writing of the Public Prosecutor, compound any offence committed by any person under this Act and prescribed to be a compoundable offence by making a written offer to the person suspected to have committed the offence to compound the offence upon payment to the Commissioner of an amount of money not exceeding fifty per centum of the amount of maximum fine for that offence within such time as may be specified in his written offer.

(2) An offer under subsection (1) may be made at any time after the offence has been committed but before any prosecution for it has been instituted, and if the amount specified in the offer is not paid within the time specified in the offer or such extended time as the Commissioner may grant, prosecution for the offence may be instituted at any time after that against the person to whom the offer was made.

(3) Where an offence has been compounded under subsection (1), no prosecution shall be instituted in respect of the offence against the person to whom the offer to compound was made, and any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized in connection with the offence may be released or forfeited by the Commissioner, subject to such terms and conditions as he thinks fit to impose in accordance with the conditions of the compound.

(4) All sums of money received by the Commissioner under this section shall be paid into the Federal Consolidated Fund.


Section 133. Offences by body corporate 


(1) If a body corporate commits an offence under this Act, any person who at the time of the commission of the offence was a director, chief executive officer, chief operating officer, manager, secretary or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management—

(a) may be charged severally or jointly in the same proceedings with the body corporate; and

(b) if the body corporate is found to have committed the offence, shall be deemed to have committed the offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves—

(i) that the offence was committed without his knowledge, consent or connivance; and

(ii) that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.

(2) If any person would be liable under this Act to any punishment or penalty for his act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of the agent, if the act, omission, neglect or default was committed—

(a) by that person's employee in the course of his employment;

(b) by the agent when acting on behalf of that person; or

(c) by the employee of the agent in the course of his employment by the agent or otherwise on behalf of the agent acting on behalf of that person.


Section 134. Prosecution


No prosecution for an offence under this Act shall be instituted except by or with the written consent of
the Public Prosecutor.


Section 135. Jurisdiction to try offences 


Notwithstanding any other written law to the contrary, a Sessions Court shall have jurisdiction to try
any offence under this Act and to impose full punishment for any such offence under this Act.


Section 136. Service of notices or other documents

(1) Service of a notice or any other document upon any person shall be effected—

(a) by delivering the notice or other document to the person;


(b) by leaving the notice or other document at the last-known address of residence or place of
business of the person in a cover addressed to that person; or


(c) by forwarding the notice or other document by post in an A.R. registered letter addressed to the
person at his last-known address of residence or place of business.


(2) Where the person to whom there has been addressed an A.R. registered letter containing any
notice or other document which may be given under this Act is informed of the fact that there is an
A.R. registered letter awaiting him at a post office, and such person refuses or neglects to take
delivery of such A.R. registered letter, such notice or other document shall be deemed to have been
served upon him on the date on which he was so informed.


Section 137. Public Authorities Protection Act 1948

The Public Authorities Protection Act 1948 [Act 195] shall apply to any action, suit, prosecution or
proceedings against the Commissioner, Deputy Commissioner, Assistant Commissioner, any officer
or servant of the Commissioner, any member of the Advisory Committee, any member, officer or
servant of the Appeal Tribunal, or any authorized officer in respect of any act, neglect or default done
or omitted by him or it in such capacity.


Section 138. Public servant

The Commissioner, Deputy Commissioner, Assistant Commissioner, any officer or servant of the
Commissioner, any member of the Advisory Committee, any member, officer or servant of the Appeal
Tribunal, or any authorized officer while discharging his duty or performing his functions or exercising
his powers under this Act in such capacity shall be deemed to be a public servant within the meaning
of the Penal Code [Act 574].


Section 139. Protection against suit and legal proceedings 


No action, suit, prosecution or other proceedings shall lie or be brought, instituted or maintained in
any court against


(a) the Commissioner, Deputy Commissioner, Assistant Commissioner or any officer or servant of
the Commissioner;


(b) any member of the Advisory Committee;

(c) any member, officer or servant of the Appeal Tribunal; or

(d) any authorized officer,

in respect of any act or omission done or omitted by him or it in good faith in such capacity.


Section 140. Protection of informers


(1) Except as provided in subsections (2) and (3), no witness in any civil or criminal proceedings
pursuant to this Act shall be obliged or permitted to disclose the name or address of any informer or
the substance and nature of the information received from him or state any matter which might lead to
his discovery.


(2) If any computer, book, account, computerized data or other document, signboard, card, letter,
pamphlet, leaflet, notice, equipment, instrument or article which is in evidence or is liable to inspection
in any civil or criminal proceedings whatsoever contains any entry in which any informer is named or
described or which might lead to his discovery, the court shall cause all such entries to be concealed
from view or to be obliterated in so far as may be necessary to protect the informer from discovery.


(3) If in a trial for any offence under this Act the court, after full inquiry into the case, is of the opinion
that the informer wilfully made in his complaint a material statement which he knew or believed to be
false or did not believe to be true, or if in any other proceedings the court is of the opinion that justice
cannot be fully done between the parties in the proceeding without the discovery of the informer, the
court may require the production of the original complaint, if in writing, and permit an inquiry and
require full disclosure concerning the informer.


Section 141. Obligation of secrecy 


(1) Except for any of the purposes of this Act or for the purposes of any civil or criminal proceedings
under any written law or where otherwise authorized by the Minister—


(a) the Commissioner, Deputy Commissioner, Assistant Commissioner, any officer or servant of
the Commissioner, any member of the Advisory Committee, any member, officer or servant of the
Appeal Tribunal, any authorized officer or any person attending any meeting or deliberation of the
Advisory Committee, whether during or after his tenure of office or employment, shall not disclose
any information obtained by him in the course of his duties; and


(b) no other person who has by any means access to any information or documents relating to the
affairs of the Commissioner shall disclose such information or document.


(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to
a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one
year or to both.


Section 142. Things done in anticipation of the enactment of this Act 


All acts and things done by any person in preparation for or in anticipation of the enactment of this Act
and any expenditure incurred in relation thereto shall be deemed to have been authorized under this
Act, provided that the acts and things done are consistent with the general intention and purposes of
this Act; and all rights and obligations acquired or incurred as a result of the doing of these acts or
things including any expenditure incurred in relation thereto shall on the coming into operation of this
Act be deemed to be the rights and obligations of the Commissioner.


Section 143. Power to make regulations


(1) The Minister may make such regulations as may be necessary or expedient for the purpose of
carrying into effect the provisions of this Act.


(2) Without prejudice to the generality of the powers conferred by subsection (1), the Minister may
make regulations for all or any of the following purposes:


(a) to regulate all matters relating to the registration of data users under this Act, including to
prescribe the registration fees and renewal fees;


(b) to regulate all matters necessary for the implementation of the Personal Data Protection
Principles;


(c) to regulate procedures in respect of the inspection of personal data systems, investigation of
complaints and issuance of enforcement notices, and all other matters related to it;


(d) to prescribe the offences which may be compounded and the forms to be used and the method
and procedure for compounding the offences;


(e) to provide and prescribe for any fees payable in connection with the provision of any service or
any matter under this Act;


(f) to prescribe any matter for which this Act makes express provision to be made by regulations;


(g) to prescribe all other matters as are necessary or expedient to be prescribed for giving effect to


(3) The regulations made under this section or any other subsidiary legislation made under this Act
may prescribe for any act or omission in contravention of the regulations or other subsidiary
legislation to be an offence and may prescribe for penalties of a fine not exceeding two hundred and
fifty thousand ringgit or imprisonment for a term not exceeding two years or to both.


Section 144. Prevention of anomalies 


(1) The Minister may, by order published in the Gazette, make such modifications to the provisions of
this Act as may appear to him to be necessary or expedient for the purpose of removing any
difficulties or preventing anomalies in consequence of the coming into operation of this Act.


(2) The Minister shall not exercise the powers conferred by subsection (1) after the expiration of one
year from the appointed date.


(3) In this section, "modifications" means amendments, additions, deletions and substitutions of any
provisions of this Act.


PART XI - SAVINGS AND TRANSITIONAL PROVISIONS. 


Section 145. Personal data processed before the date of coming into operation
of this Act


Where a data user has collected personal data from the data subject or any third party before the date
of coming into operation of this Act, he shall comply with the provisions of this Act within three months
from the date of coming into operation of this Act.


Section 146. Registration of persons who process personal data before the 
date of coming into operation of this Act 

(1) Subject to subsection (2), any person who at the date of coming into operation of this Act either
alone or jointly or in common with other persons processes any personal data or has control over or
authorizes the processing of any personal data, shall within three months from the date of coming into
operation of this Act be registered as a data user in accordance with the provisions of this Act.


(2) Subsection (1) shall not apply to a data user who does not belong to the class of data users who
shall be required to be registered as data users in pursuance of the provisions of Division 2 of Part I.